Help: Random bleepy music and explorer.exe crashes

Hi,

Below is the MBAM log and I have attached the OTS.exe as described in the first pinned post.

Brief notes: Something is very wrong. I plugged in my mobile broadband dongle and shortly after the laptop was connected weird music played that sounded like it was from a classic ZX Spectrum adventure game. I can't stop it with volume control or even by disabling the sound devices… it sounds like it's coming from the motherboard beeper… it lasts normally about 3 minutes and then goes??? Now sometimes it won't log on and if I do then sometimes it crashes and is noticeably slower than ever. Note that I have used avast for a long time and it serves well! I used to use a fixed landline connection and have never had any popups. In the last month I am living away from home and am using a mobile internet provider via a dongle… since using this a number of avast popups have mentioned “blocking malicious site”. And now this… it almost seems as if my system was more vulnerable using this dongle.

It took four restarts before I seem to have it running and not having crashed…yet.

Thanks in advance
Dziga Walker

Malwarebytes’ Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7287

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

26/07/2011 23:33:05
mbam-log-2011-07-26 (23-33-05).txt

Scan type: Quick scan
Objects scanned: 166735
Time elapsed: 4 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Sounds like you may have the Whistler rootkit???

I don’t like the sound of the Whistler!!! Quick web search reveals many unhappy people :-\

Here is the log from the aswMBR scan. Hope desperately that you can help.

Thanks again.

aswMBR version 0.9.8.977 Copyright(c) 2011 AVAST Software
Run date: 2011-07-27 09:58:12

09:58:12.329 OS Version: Windows 6.0.6002 Service Pack 2
09:58:12.329 Number of processors: 2 586 0x1706
09:58:12.329 ComputerName: DZIGA-PC UserName: Dziga
09:58:14.170 Initialize success
09:58:14.404 AVAST engine defs: 11072700
09:58:28.897 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
09:58:28.897 Disk 0 Vendor: TOSHIBA_ LV01 Size: 305245MB BusType: 3
09:58:28.943 Disk 0 MBR read successfully
09:58:28.943 Disk 0 MBR scan
09:58:28.943 Disk 0 Windows VISTA default MBR code
09:58:28.959 Disk 0 scanning sectors +625141760
09:58:29.053 Disk 0 scanning C:\Windows\system32\drivers
09:58:38.054 Service scanning
09:58:39.614 Service sptd C:\Windows\System32\Drivers\sptd.sys LOCKED 32
09:58:40.207 Modules scanning
09:58:55.573 Disk 0 trace - called modules:
09:58:55.604 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys spbu.sys hal.dll >>UNKNOWN [0x876e3938]<<
09:58:55.604 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x88ee9ac8]
09:58:55.619 3 CLASSPNP.SYS[8c50a8b3] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0x877de028]
09:58:56.399 AVAST engine scan C:\Windows
09:58:59.644 AVAST engine scan C:\Windows\system32
10:00:31.450 AVAST engine scan C:\Windows\system32\drivers
10:00:40.904 AVAST engine scan C:\Users\Dziga
10:05:49.768 AVAST engine scan C:\ProgramData
10:08:55.174 Scan finished successfully
10:09:28.621 Disk 0 MBR has been saved successfully to “C:\Users\Dziga\Desktop\MBR.dat”
10:09:28.621 The log file has been saved successfully to “C:\Users\Dziga\Desktop\aswMBR_LOG.txt”

No Whistler, but you have this… suspicious

09:58:55.604 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys spbu.sys hal.dll >>UNKNOWN [0x876e3938]<<

So I will leave this for Essexboy. He is usually in here at 08:00pm - 11:59pm UK time.
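The line Pondus flags is the one a helper looks for in an aswMBR log: an entry in the disk I/O trace that aswMBR cannot attribute to any loaded module. As an added example (not from the thread, not AVAST's code), the Python below picks out the MBR description, LOCKED services and any >>UNKNOWN<< trace entry; the embedded excerpt is constructed from the log posted above, and the suspicion rule is an assumption of this example, not aswMBR's own verdict logic.

```python
import re

# Constructed excerpt of the aswMBR log posted above (same lines and addresses).
SAMPLE_LOG = """\
09:58:28.943 Disk 0 Windows VISTA default MBR code
09:58:39.614 Service sptd C:\\Windows\\System32\\Drivers\\sptd.sys LOCKED 32
09:58:55.573 Disk 0 trace - called modules:
09:58:55.604 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys spbu.sys hal.dll >>UNKNOWN [0x876e3938]<<
09:58:55.604 1 nt!IofCallDriver -> \\Device\\Harddisk0\\DR0[0x88ee9ac8]
10:08:55.174 Scan finished successfully
"""

UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")   # unattributed hook address
LOCKED_RE = re.compile(r"^\S+ Service (\S+) (\S+) LOCKED")        # driver file aswMBR could not open
MBR_RE = re.compile(r"Disk (\d+) (.+MBR code)$")                  # aswMBR's description of the boot code

def triage_aswmbr(log_text):
    """Collect the items a helper reads first from an aswMBR log."""
    findings = {"mbr": {}, "locked_services": [], "unknown_hooks": [], "trace_modules": []}
    in_trace = False
    for line in log_text.splitlines():
        m = MBR_RE.search(line)
        if m:
            findings["mbr"][int(m.group(1))] = m.group(2)
        m = LOCKED_RE.match(line)
        if m:
            findings["locked_services"].append((m.group(1), m.group(2)))
        if "trace - called modules:" in line:
            in_trace = True          # the next line lists the modules on the disk I/O path
            continue
        if in_trace:
            body = line.split(" ", 1)[1] if " " in line else line   # drop the timestamp
            m = UNKNOWN_RE.search(body)
            if m:
                findings["unknown_hooks"].append(m.group(1))
                body = UNKNOWN_RE.sub("", body).strip()
            findings["trace_modules"].extend(
                t for t in body.split() if t.lower().endswith((".exe", ".sys", ".dll")))
            in_trace = False
    return findings

def is_suspicious(findings):
    """Assumed rule: any unattributed hook, or boot code aswMBR does not call default."""
    if findings["unknown_hooks"]:
        return True
    return any("default MBR code" not in desc for desc in findings["mbr"].values())
```

A LOCKED entry on its own (here sptd.sys, the SPTD/Daemon Tools driver) is reported but not treated as suspicious, because self-protecting drivers lock their files legitimately.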

Thanks Pondus,

Something is definitely strange. I will await Essex Boy and given how many threads I have read on these forums with himself and yourself aiding many people I feel in safe hands…thanks again.

Another observation for you both while I wait:

The severity of this is now such that 4/5 times I boot, after logging on everything appears to freeze EXCEPT the mouse. I.e. I get my normal desktop screen but not even the clock changes but the mouse works. It always seems to freeze when Avast AND/OR Malwarebytes is loading. The trouble is if I can't boot, I can't plug in my mobile 3G broadband dongle (3 Network in the UK) to get on the internet. I booted in Safe Mode and using MSCONFIG disabled: Malwarebytes, BecHelperService.exe (which is apparently something to do with my broadband dongle) and RapportMgtService.exe (which is the security software my bank supplied).

Interestingly after disabling these it booted OK however after a second reboot back to strange things. I haven’t had any of the strange ZX Spectrum music anymore though although it was very random when that would occur. When I connect through the dongle occasionally two Firefox windows will open and appear to do nothing but I find this odd - Note I only use Firefox… I have an IE7 installed with the machine but I never use it.

Cheers
Dziga

Hi there - I must admit this appears to be a variation on Whistler - so let's investigate before I start killing

Download MBRCheck.exe to your Desktop. Run the application.

If no infection is found, it will produce a report on the desktop. Post that report in your next reply.

If an infection is found, you will be presented with the following dialog:

    Enter ‘Y’ and hit ENTER for more options, or ‘N’ to exit:

Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.

THEN

Run MBRCheck.exe once again.

You will be presented with the following dialog:

    Found non-standard or infected MBR.
    Enter ‘Y’ and hit ENTER for more options, or ‘N’ to exit:

Enter Y and press Enter.

The following dialog will be presented:

    Options:
    [1] Dump the MBR of a physical disk to file.
    [2] Restore the MBR of a physical disk with a standard boot code.
    [3] Exit.

    Enter your choice:

Enter 1 and press Enter.

The following dialog will be presented:

    Enter the physical disk number to fix (0-99, -1 to cancel):

Enter 0 and press Enter.

It will ask for a file name and location - call it MBR.txt and place it on your desktop
Then exit the programme and attach the MBR.txt to your next post

Hi Essexboy,

MBR report attached… apparently nothing was found.

MBR is good - so let's check out the drivers

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Here we go…hope you can make more sense of it than me…

Cheers again

I can see it

  1. Close any open browsers.

  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  3. Open notepad and copy/paste the text in the quotebox below into it:

    File:: c:\users\Dziga\AppData\Local\Temp\mdxgthkn.sys

    Driver::
    mdxgthkn

Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

OK, I’ve done as requested. File attached BUT some points perhaps you should note.

Started Combofix with the script you asked me to make and it did its thing as before… prior to writing a log it stated a restart was needed which it did. The log-in screen came as normal, so I logged in and Combofix kicked in very early as the desktop loaded saying it was preparing the log file… All good. I then double clicked the mobile broadband launch icon and was told I wasn’t permitted as the item was related to a registry key set for deletion (or thereabouts). I tried Firefox which had the same error. Same for MS Word document. In fact the only software that worked was notepad. As I couldn’t get to the forum I just rebooted and now OK. Thought I should let you know as I wasn’t sure if I should reboot again.

Once again, thanks

Yes that happens sometimes - reboot and all will work again

What are your current problems ?

;D Everything seems OK…famous last words.

You are a legend. OK so realistically, assuming that it's gone (any checks?) what should my setup be. I currently run Avast and have done for years with no probs ever, but only with Windows Defender. Do you recommend I get full MBAM for malware protection. I used to use Spybot - Search & Destroy which I have just downloaded and installed but always thought this was for spyware and wasn’t a malware checker. Should I get a 3rd party firewall… I always heard that defender worked ok?

Thanks ever so much for your time.

Well essexboy will probably be in bed now, 00:22am in the UK now. He is likely to be back on-line around the same time he was in his last posts.

Generally he would ask you to monitor it for a day or so and if no problems get back on the forums and confirm that is the case. He will remove his tools and probably give some general advice for you to follow.

I would say keep MBAM, as a secondary scanner, no need to purchase the full version, though it is a one-off lifetime license. I believe it is much better than S&D and I’m not a great fan of Windows Defender (WD); if you had avast and MBAM it sort of reduces the need for WD. However, WD is free, comes pre-installed on Vista (if correct then I believe you can’t uninstall it, only disable it), it is a resident solution. So it would be your choice on what to do, but it has been a bit of a passenger in this.

Since you run Vista and you have IE7, it is capable of running IE8 and IE9 so preferably updating to IE9 would give you enhanced security in IE, especially if you use it as your default browser and since IE is an integral part of the OS you should always keep it up to date.

Hi hi,

OK just a couple of observations. I switched on this morning and Windows booted without problems.

  • However since doing the ComboFix, Avast no longer automatically boots on Startup. I’ve looked in MSConfig and there is no startup item yet there is an enabled and running Avast service. I can start Avast manually by going to the programs menu as one would any software, but surely Avast should be self booting as it always has.
  • When I first contacted you guys I followed your primary instructions and installed Malwarebytes for a scan. Prior to the Combofix (but after my first MBAM and OTS scan) I suspected that while the desktop loaded most lockups seemed to coincide with MBAM booting into the taskbar, so I disabled all MBAM in startup and services using MSCONFIG. Since “hopefully” getting cured I thought I’d reactivate MBAM startup and services - The result is that explorer locks up immediately upon loading, so I deactivated again. I have rebooted and opened MBAM manually and it opens & scans fine however if I switch on the “real-time” protection all goes to immediate lock up. I wonder if this is because it is a 14 day trial version???

Everything else seems to be behaving as normal.
Cheers
Dziga

Try a repair of avast:
XP - Add Remove programs, select ‘avast! Anti-Virus,’ click the Change/Remove button and scroll down to Repair, click next and follow.

Vista, win7 - Control Panel, Programs & Features, uninstall a program, select ‘avast! Anti-Virus,’ click the Change/Remove button and scroll down to Repair, click next and follow.

You may need to reboot after the repair.

If that doesn’t work you could try:
It may just be the avastUI that isn’t running, as a temporary measure this is the C:\Program Files\AVAST Software\Avast\AvastUI.exe file, create a desktop shortcut.
Or
Creating your own startup entry, this is the info for my startup entry, see image.
Or
Do a reinstall of avast, left this as a last option as it is more hassle.

Cheers - the repair option has worked.

Do you use MBAM just as a free scanner or do you use its real-time protection module? As mentioned before, if I switch this on then everything locks up. Could this be a clash with Spybot S&D?

Finally (I want to try and ensure I never get malwared) as I said, I only use Firefox but the original IE7 is still on the machine - Even though I don't use IE do you think I should update it to the latest version of IE9 or am I being overly pedantic?

Cheers
Dziga

If I were you I would remove SpyBot as it is not any good with today's malware

You’re welcome.

If you check my signature you will see I use MBAM Pro (with resident protection enabled) and no problems with avast, just add C:\Windows\Temp\_avast_ to the MBAM Ignore List tab.

I too would suggest the removal of S&D if you have MBAM Pro.

Since IE is an integral part of your OS you should keep it up to date.

With Firefox, I would recommend that you have the following add-ons, NoScript and AdBlockPlus. I also have RequestPolicy, but you may find that too noisy (you would be surprised just how many external sites are accessed by some sites); it prevents cross site scripting (so does NoScript but it isn’t as flexible), which is commonly used in these driveby attacks.

You would be advised to update to IE9 even if you rarely use IE.

If there are no further problems my tools shall go ;D

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

    [Unregister Dlls]
    [Custom Items]
    :Files
    ipconfig /flushdns /c
    :end
    [Empty Temp Folders]
    [EmptyFlash]
    [CreateRestorePoint]

Uninstall ComboFix

Remove Combofix now that we’re done with it.

  • Please press the Windows Key and R on your keyboard. This will bring up the Run… command.
  • Now copy/paste this: ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /Uninstall, it needs to be there.

    http://i275.photobucket.com/albums/jj285/Bleeping/Combofix/CFuninstall.gif

  • Please follow the prompts to uninstall Combofix.
  • This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.
  • You will then receive a message saying Combofix was uninstalled successfully once it’s done uninstalling itself.

Run OTS and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that.

  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:

  • Go to this site and click Do I have Java
  • It will check your current version and then offer to update to the latest version

SPRING CLEAN

To manually create a new Restore Point

  • Go to Control Panel and select System
  • Select System
  • On the left select System Protection and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name i.e. Clean
  • Select Create

Now we can purge the infected ones

  • Go Start > All programs > Accessories > System Tools
  • Right click Disk Cleanup and select Run as administrator
  • Select your main drive and accept the warning if you get one
  • For a few moments the system will make some calculations
  • Select the More Options tab
  • In the System Restore and Shadow Backups select Clean up
  • Select Delete on the pop up
  • Select OK
  • Select Delete

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes. Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link.

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit
  • Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe :wave: